One of the greatest advantages of having an Active Directory domain is the ability to install software packages via GPO (Group Policy Object). Software deployment is crucial in business environments to save time and money.
Microsoft not only gives us a simple way to install an MSI file, but also provides a quick way to uninstall it when we don't need it anymore.
1. Create a new GPO:- In Group Policy Management, expand the node of the desired forest, and then expand the Domains node in it. Right-click the Employees node and, in the context menu that opens, select the "Create a GPO in this domain, and Link it here" command.
2. Name the object to be created:- In the New GPO dialog box, enter a friendly name for the new GPO, for example, Software Deployment. If you want to use a Starter GPO as a source of parameters, select it in the Source Starter GPO list. When you click OK, a new GPO is added to the Group Policy Objects container.
3. Choose command Edit to change our policy:- Right-click the new GPO and select Edit. Configure the required settings in the policy editor and close the editor.
4. Choose new package in Software installation node:- In the Group Policy Management Editor snap-in, go to "Computer Configuration > Policies > Software Settings > Software installation". Right-click the "Software installation" item and select "New > Packages".
5. Specify a network path to the software package:- In the window that appears, go to the previously prepared software distribution point and select the Windows Installer file that will be used to install the software. At this stage, pay attention to two points. First, shared access to this folder should be open. The second, more important point: when choosing the folder, you need to specify not a local drive letter on your domain controller (in the event that the installation package is located on the domain controller), but the network path, since this location is published to client computers.
6. Select deployment method:- We are setting up a Computer Configuration policy, so we can only assign the application and not publish it. Assigned applications will be installed at the first reboot or policy update, while published applications will be available for users to install or remove. For this reason, you can only publish applications to users. The Advanced option simply lets us edit the application's deployment properties.
7. Use default settings for deployment method:- In the properties dialog of the installation package, which pops up a few seconds after specifying the deployment method, you can specify additional parameters. After you have made all the necessary changes, click "OK."
8. Deployment set up window:- The policy editing window should look like this (screenshot). Close the Group Policy Management window and open the Windows command prompt. At the command prompt, enter the command "gpupdate /force". The server will report that it cannot apply the installation policy without rebooting and will offer to reboot. Type "y" (in the English layout) at the command line and press the "Enter" key. The system will restart 1 minute after the command is entered. Alternatively, just restart the server through the Start menu.
9. If you need to remove programs:- To remove software using GPO, in the Group Policy Management Editor snap-in, expand User Configuration \ Policies \ Software Configuration, go to the Software Installation node and click on this node with the left mouse button. Your installed program appears in the window. Click on it with the right mouse button and select "All tasks" => "Delete" from the pop-up menu.
10. Select removal method:- After that, the "Remove Applications" window pops up. In this window, select the option "Immediately remove this application from the computers of all users." Close the Group Policy Management Editor window, run the "gpupdate /force" command in cmd, and then restart the server.
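Step 5 above depends on two things about the distribution point: the package must be referenced by a network path, and its permissions decide who can change what gets installed. The following PowerShell pre-flight check is an added example, not part of the original article; the function name `Test-GpoPackageSource` and the path at the bottom are constructed placeholders.

```powershell
# Added example. The path used at the bottom is a constructed placeholder.
function Test-GpoPackageSource {
    param([Parameter(Mandatory)][string]$PackagePath)
    $findings = @()

    # Clients open this path themselves, so it must be UNC (\\server\share\...),
    # never a drive letter that only exists on the domain controller.
    if ($PackagePath -notmatch '^\\\\[^\\]+\\[^\\]+\\.+') {
        $findings += "Not a UNC path: $PackagePath"
    }
    if ([IO.Path]::GetExtension($PackagePath) -ne '.msi') {
        $findings += 'Not a Windows Installer (.msi) file'
    }
    if (-not (Test-Path -LiteralPath $PackagePath -PathType Leaf)) {
        return [pscustomobject]@{ Path = $PackagePath; Sha256 = $null
            Findings = $findings + 'Package not reachable from this machine' }
    }

    # Assigned packages install under the local SYSTEM account, so anyone who can
    # change the file or its folder controls what runs on every targeted computer.
    $broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers'
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($target in @($PackagePath, (Split-Path -Parent $PackagePath))) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            # Strip the domain or authority prefix (BUILTIN\, NT AUTHORITY\, CORP\)
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $name -and $canWrite) {
                $findings += "$($ace.IdentityReference.Value) can modify $target"
            }
        }
    }

    # Record the hash so a later change to the published file can be detected.
    [pscustomobject]@{
        Path     = $PackagePath
        Sha256   = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
        Findings = $findings
    }
}

Test-GpoPackageSource -PackagePath '\\fileserver.example.com\Deploy$\example.msi'
```

This inspects NTFS permissions only and does not decode ACEs expressed as generic rights; review the share-level permissions on the file server as well, for example with `Get-SmbShareAccess`. An empty `Findings` list means the package is reachable by UNC path and no broad group can alter it.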
Also consider using Action1 to install software remotely if:
- You need to perform this action on multiple (hundreds or even thousands) computers simultaneously.
- Some of your endpoints are laptops that are not connected to the corporate network at all times.